From: Israel Burke [BurkeIsrael850@business.telecomitalia.it]
Date: 14 December 2015 at 15:00
Subject: Israel Burke

Attached please find an invoice(s) for payment. Please let us know if you have any questions.
We greatly appreciate your business!
BCP Transportation, Inc.

I have only seen one sample of this; it is possible that the company name and sender names are randomly generated. The attachment in this case was named invoice_scan_76926455.doc and has a detection rate of 3/55.
Despite the name, this is not a Word document but is an XML document [pastebin] containing ActiveMIME data. The Malwr report for this indicates network traffic to:
220.127.116.11 (McHost.Ru, Russia)
18.104.22.168 (SC-Nextra Telecom SRL, Romania)
That Malwr report shows a dropped binary named qqqew.exe which has a VirusTotal detection rate of 5/55.
I am not certain of the payload, but I suspect that this Word document is dropping Upatre leading to the Dyre banking trojan.
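
The mismatch described above (a .doc name on a file that is really Word 2003 XML carrying ActiveMime data) can be checked statically at a mail gateway or during triage. The following is an added example, not code from the original post; the function names and the sample document are constructed for illustration, and it assumes the ActiveMime blob is stored base64-encoded in a binData element.

```python
import base64
import binascii
import re

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy binary .doc (OLE2)
# Word 2003 XML stores embedded binary parts as base64 inside <w:binData>.
BINDATA_RE = re.compile(
    rb"<(?:\w+:)?binData\b[^>]*>(.*?)</(?:\w+:)?binData>", re.S)


def triage_doc(data: bytes) -> dict:
    """Report what a '.doc' attachment really is and whether it embeds ActiveMime."""
    head = data[:1024].lstrip(b"\xef\xbb\xbf \t\r\n")  # skip BOM / whitespace
    if data.startswith(OLE_MAGIC):
        container = "ole2"
    elif data.startswith(b"PK\x03\x04"):
        container = "zip/ooxml"
    elif head.startswith(b"<?xml"):
        container = "word-xml" if b"Word.Document" in head else "xml"
    else:
        container = "unknown"

    blobs = 0
    if container in ("word-xml", "xml"):
        for match in BINDATA_RE.finditer(data):
            try:
                blob = base64.b64decode(match.group(1))
            except (binascii.Error, ValueError):
                continue  # malformed base64, nothing to inspect
            if blob.startswith(b"ActiveMime"):
                blobs += 1
    return {"container": container, "activemime_blobs": blobs,
            "suspicious": blobs > 0}


def build_sample() -> bytes:
    """Constructed, inert stand-in for the attachment (no macro content)."""
    blob = b"ActiveMime" + b"\x00" * 40 + b"constructed filler"
    return (b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
            b'<?mso-application progid="Word.Document"?>\n'
            b'<w:wordDocument xmlns:w="http://schemas.microsoft.com/office/word/2003/wordml">'
            b'<w:docSuppData><w:binData w:name="editdata.mso">\n'
            + base64.encodebytes(blob) +
            b'</w:binData></w:docSuppData></w:wordDocument>')


if __name__ == "__main__":
    print(triage_doc(build_sample()))
```

A "word-xml" container with one or more ActiveMime blobs behind a .doc extension is the combination worth quarantining or routing to a sandbox.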